Tags: azure-entra-id, aws-load-balancer-controller

AWS ALB Returning 401 Error Despite Successful Token Retrieval from Azure AD


I’m new to the AWS platform and need some help with the following issue:

I’m using Azure AD (Entra ID) as the identity provider (IdP) to authorize backend APIs via an AWS Application Load Balancer (ALB).

Here’s the workflow I’ve set up:

  1. After the user is authenticated, the IdP redirects them back to the ALB with an authorization grant code.
  2. The ALB exchanges the authorization grant code with the IdP token endpoint.
  3. Upon validation, the IdP provides the ALB with an ID token and an access token.

Although the token endpoint successfully retrieves the ID token and refresh token when tested with Postman, the ALB returns a 401 Authorization Required error. The ALB access logs only capture the following: "authenticate" "-" "AuthInvalidIdToken"

Below is the ALB configuration:

Authentication type: OpenID Connect (OIDC)
Issuer: https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxx/
Token endpoint: https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxx/oauth2/token/89
User info endpoint: https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxx/.well-known/openid-configuration
Authorization endpoint: https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxx/oauth2/authorize
Session cookie name: AWSELBAuthSessionCookie
On unauthenticated requests: Authenticate
Scope: api://xxxxxxxxxxxxxxxxxx/email openid offline_access profile

Can someone help me identify what might be causing the 401 error in this setup?


Solution

  • The user info endpoint was incorrect. The correct one is shown below, and it works fine after the change.

    Before - User info endpoint: https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxx/.well-known/openid-configuration

    Now - User info endpoint: https://graph.microsoft.com/oidc/userinfo
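As an added check that is not part of the question or the answer above: the script below compares an ALB OIDC authenticate-action configuration against the IdP's discovery document and flags a user info endpoint that points at the discovery document itself, which is the misconfiguration the answer identifies. The discovery document here is a constructed sample (it mirrors the endpoints posted in the question so that only the user info endpoint differs; the tenant id is a placeholder), and the corrected user info value is the one given in the answer. In a real environment you would fetch the document from `{issuer}/.well-known/openid-configuration` instead of embedding it.

```python
"""Cross-check an ALB OIDC authenticate action against the IdP discovery document.

Added example, not code from the question or the answer. The discovery
document is a constructed sample; the tenant id is a placeholder.
"""
import json
from urllib.parse import urlparse

WELL_KNOWN_SUFFIX = "/.well-known/openid-configuration"
TENANT = "xxxxxxxxxxxxxxxxxx"  # placeholder, masked as in the question

# ALB configuration as posted in the question.
ALB_CONFIG_BEFORE = {
    "issuer": f"https://login.microsoftonline.com/{TENANT}/",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/token/89",
    "userinfo_endpoint": f"https://login.microsoftonline.com/{TENANT}{WELL_KNOWN_SUFFIX}",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/authorize",
}

# The same configuration with the fix from the answer applied.
ALB_CONFIG_AFTER = dict(
    ALB_CONFIG_BEFORE, userinfo_endpoint="https://graph.microsoft.com/oidc/userinfo"
)

# Constructed discovery document, i.e. what GET {issuer}/.well-known/openid-configuration
# would return. It deliberately mirrors the posted endpoints so that only the
# userinfo_endpoint differs; the jwks_uri is a placeholder value.
DISCOVERY_DOC_JSON = json.dumps({
    "issuer": ALB_CONFIG_BEFORE["issuer"],
    "authorization_endpoint": ALB_CONFIG_BEFORE["authorization_endpoint"],
    "token_endpoint": ALB_CONFIG_BEFORE["token_endpoint"],
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT}/discovery/keys",
})

# The ALB fields that must agree with the discovery document.
ENDPOINT_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "userinfo_endpoint")


def _normalize(url: str) -> str:
    """Compare URLs without a trailing slash; the issuer is often entered with one."""
    return url.rstrip("/")


def check_alb_oidc_config(alb_config: dict, discovery_doc_json: str) -> list[str]:
    """Return findings for an ALB OIDC config; an empty list means it matches the discovery document."""
    doc = json.loads(discovery_doc_json)
    findings: list[str] = []
    for key in ENDPOINT_KEYS:
        configured = alb_config.get(key)
        if not configured:
            findings.append(f"{key}: missing from ALB config")
            continue
        if urlparse(configured).scheme != "https":
            findings.append(f"{key}: must be an https URL, got {configured!r}")
        if key != "issuer" and configured.endswith(WELL_KNOWN_SUFFIX):
            # The discovery document lists the endpoints; it is not itself an endpoint.
            findings.append(f"{key}: points at the discovery document, not at the {key}")
        expected = doc.get(key)
        if expected and _normalize(configured) != _normalize(expected):
            findings.append(
                f"{key}: configured {configured!r} but discovery document says {expected!r}"
            )
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", ALB_CONFIG_BEFORE), ("after", ALB_CONFIG_AFTER)):
        problems = check_alb_oidc_config(cfg, DISCOVERY_DOC_JSON)
        print(f"{label}: {'OK' if not problems else ''}")
        for line in problems:
            print("  -", line)
```

Run as a script it reports the two findings for the posted configuration (both on `userinfo_endpoint`) and none for the corrected one; the same function can be pointed at a live discovery document by replacing the embedded JSON with the response body from the issuer's well-known URL.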